I just wanted to know what the difference is between static code analysis and code review. How are each of these two done? More specifically, what are the tools available today for code review/static analysis of PHP? I would also like to know about good tools for code review for any language.

This question came from our site for professional and enthusiast programmers.

A code review is generally a manual process whereby another programmer looks over your code. It's a way to spot little mistakes or deviations from coding conventions etc, and a good way to improve overall code quality. Static code analysis is something you can use a tool for, though I have never done this myself. Interested to see what answers others have
–
appclayMar 26 '12 at 5:00

7 Answers
7

Code review is something people do, static analysis is something machines do. There are (sometimes good) static analysis tools. Code review is when a colleague/mentor/professor/friend goes over your code and gives you constructive criticism.

Static analysis is, on the other hand, an automated process in which a machine, informed by what it knows about the language it is analyzing (usually from the type system), analyzes a program and tries to pick out things that could be incorrect, inefficient, poor style, or otherwise suboptimal.

I've always been under the impression that code review is a sort of static analysis, since it's a way of measuring the health of the software without executing it.
–
BuhbMar 26 '12 at 8:51

4

@Buhb: it crucially adds knowledge of the context. A code reviewer should understand if the code is doing what is expected to do. A static tool will (at best, if the language allows for it via some decoration/assertion/contract) check that formally everything is ok... So you could put it the other way: static analysis is a sort of code review, performed algorithmically.
–
FrancescoMar 26 '12 at 9:47

Just to add, Lint (static analyst): Dude that's not needed!! Colleague (Reviewer): You can do it that way too!!
–
KushMar 19 '13 at 11:50

Static analysis is the process of analyzing a software without executing it. This is very good and recommended, but you have to keep in mind that

different static analysis tools have different understanding of the code they are studying, hence they can signal (or not signal) different issues. One tool can give a clean report, and the other may complain about a million things.

a dynamic tool (to name an example, think of valgrind) can find many other issues, at the price of a serious burden on the resource consumption (time, memory usage). This is so because you are usually running an instrumented version of the software. Notice that, by being instrumented in some way (replace your malloc with a debugging malloc) it is not exactly identical to your software (as you can see from the execution times)

Both of these approaches suffer from the lack of context: they don't know what the sw is supposed to achieve.

Code review is done by another coder, who supposedly knows it and can check

if the code is right

if the software is semantically correct.

It is much more expensive and it has a varying degree of repeatability but is a great help.

As always, there is not a single silver bullet which will fix all the bugs and avoid all the problems.
Applying - as much as possible given the place, the code, the time, the three forms of check (static, dynamic, more eyes (and brains) actually looking at the code) is recommended.

ps: I must note that it is usually much better to apply the tools from scratch. Converting a legacy system is a much less pleasurable experience, due to false positives. If you start from scratch and always aim at keeping the analysis tool clean, you will probably avoid a lot of problems.

pps: as for tools, it depends on the language. In the C and C++ world you can start by looking at Visual Studio itself, which contains a built-in static analysis tool. A relatively complete list can be found on Wikipedia.

ppps: Static analysis is more suited to static languages, like C or C++. For Python it can be really difficult to say if a name which refers to a list at a point will refer to a list for the rest of the program, due to its dynamic properties. This doesn't mean that nothing can be done, as a JIT effort like PyPy shows.

Code Review is when A senior or a dedicated authority checks your code, your way of coding, the standards followed in the code and specifically the logic level of the code

As far As static analysis is concerned, it is the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis)

OM's answer is essentially correct, except that I quibble with 'A Senior or a Dedicated Authority checks your code...'. It's true that some dysfunctional shops conduct code reviews in this parent/child manner, many (and better) shops have a peer-to-peer code review system that doesn't resemble a teacher grading a homework problem. Where I work it's just as common for a junior to review a senior's work. The objective is to have a second pair of eyes look at all code before it is checked in.
–
Jim In TexasMar 26 '12 at 5:26

2

@JimInTexas, same in our shop. I would say the most important (long term) outcome of code reviews is spreading knowledge, unifying practices and architectural / design vision across the team. In this respect, a junior reviewing a senior's code is at worst a great way of learning local best practices - but who says a senior never makes mistakes and a junior can never spot these?
–
Péter TörökMar 26 '12 at 7:16

sorry to insult you. As far as what my (disappeared?) comment was intended to say - do you know of any reason why a human being cannot offer the same comments you provide as examples of output from static code analysis?
–
sq33GMar 27 '12 at 10:41

@sq33G: No. Any person with office supplies (practically infinite amount of paper) can simulate arbitrary Turing machine. However it is boring and time-consuming. (Possibly not the one given but say undefined behaviours in C).
–
Maciej PiechotkaMar 19 '13 at 11:21

Ah. So the real answer to the OP's question is that Turing machines are not human-complete.
–
sq33GMar 19 '13 at 13:11

Static analysis is when an artifact is analyzed without being executed. Although it can be applied to any artifact, it is often applied to source code or object code and refers to the use of specific tools to analyze and gain information about these work products. These tools produce reports that are interpreted by an engineer for use in determining the quality of the system under construction, and as a guide to planning development and maintenance. Wikipedia has a list of tools for static analysis, organized by language and with a brief description of their capabilities.

Reviews are a human evaluation of some work product, which could be code. Reviews can also be conducted on designs or other documents as well. The idea is that people familiar with the work product other than the developer are looking at it in order to find mistakes, ranging from security problems to violations of the coding standard.

Technically, a code review can be considered a form of static analysis, since the code is not actually executed during the review. However, in common terminology, "static analysis" typically refers to machine parsing of source or object files while "review" indicates that humans are the one doing the analysis.

Code review is useful technique to smell problems in source code very early stage. As part of this exercise many issues like performance, scalability, and coding standards identified and rectified. This will improve code quality.

Static analysis is used for analyze code quality metrics like cyclometric complexity, maintainability index, depth of inheritance, and class couplings.
Various tools available in the market to analyze code qualities. C# developer uses Microsoft visual studio for generating metric reports.

1) It doesn't have to be before the code is committed - code review is done by people and 2) I find the description of diff tools as code review tools "interesting" certainly they are tools used to identify code for review but if I were asked about code review tools I'd probably point at those that help manage the process (I've used Kiln and Crucible for example).
–
MurphMar 26 '12 at 7:00